From patchwork Tue Mar 5 04:17:03 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Sharma
X-Patchwork-Id: 1051607
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
spf=pass (mailfrom) smtp.mailfrom=openvswitch.org
(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;
envelope-from=ovs-dev-bounces@openvswitch.org;
receiver=)
Authentication-Results: ozlabs.org;
dmarc=fail (p=none dis=none) header.from=nutanix.com
Authentication-Results: ozlabs.org;
dkim=fail reason="signature verification failed" (2048-bit key;
unprotected) header.d=nutanix.com header.i=@nutanix.com
header.b="Ze+X9u8K"; dkim-atps=neutral
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
[140.211.169.12])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
bits)) (No client certificate requested)
by ozlabs.org (Postfix) with ESMTPS id 44D3sd6PQkz9s4Y
for ;
Tue, 5 Mar 2019 15:32:53 +1100 (AEDT)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
by mail.linuxfoundation.org (Postfix) with ESMTP id 8A825F0E6;
Tue, 5 Mar 2019 04:32:21 +0000 (UTC)
X-Original-To: ovs-dev@openvswitch.org
Delivered-To: ovs-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id C9284EA39
for ; Tue, 5 Mar 2019 04:17:08 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mx0b-002c1b01.pphosted.com (mx0b-002c1b01.pphosted.com
[148.163.155.12])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6CFA2180
for ; Tue, 5 Mar 2019 04:17:07 +0000 (UTC)
Received: from pps.filterd (m0127844.ppops.net [127.0.0.1])
by mx0b-002c1b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id
x254F3mk006204
for ; Mon, 4 Mar 2019 20:17:06 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com;
h=from : to : cc :
subject : date : message-id : references : in-reply-to : content-type
:
content-transfer-encoding : mime-version; s=proofpoint20171006;
bh=IQcB/LcejjiAxDnOpqtlRFMKZtLBdiTxKURDSQhiAs8=;
b=Ze+X9u8K3RNwAgiNjcBXKEmpWtn2iiIvRVJRYRkp5JnaFdoElfAIF/z3jxEMuD/hOeq1
2r7gXRt2+CZqhT+uXQbQ+3DjMOMof7dTbiByE7k1F56lxgWdfBd/za+rpZGtZWRyYs7o
AUItudjRDu/lvEJqRsxv16MBmuoMDmgSUp7ShyYol0O65b/phXh6aAMLRsZYgzRFwos/
L9Jw3szwGuBEV/SLuWH2z01Z+RjryGj2C7wNf0k6DcHfZ4BkcK9ro5rWZyeUsgE0HE09
VvbQ9WSSBaZzOASA56eSXPwDHUGohtKR7WQO+JwuKEVpQZm89VTrQUuuXHz8kF20Tfme
sA==
Received: from nam03-by2-obe.outbound.protection.outlook.com
(mail-by2nam03lp2058.outbound.protection.outlook.com [104.47.42.58])
by mx0b-002c1b01.pphosted.com with ESMTP id 2qyt83c76x-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT)
for ; Mon, 04 Mar 2019 20:17:06 -0800
Received: from MW2PR02MB3899.namprd02.prod.outlook.com (52.132.178.28) by
MW2PR02MB3737.namprd02.prod.outlook.com (52.132.177.138) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1665.19; Tue, 5 Mar 2019 04:17:04 +0000
Received: from MW2PR02MB3899.namprd02.prod.outlook.com
([fe80::4976:1b78:f55b:3cfd]) by
MW2PR02MB3899.namprd02.prod.outlook.com
([fe80::4976:1b78:f55b:3cfd%8]) with mapi id 15.20.1665.020;
Tue, 5 Mar 2019 04:17:04 +0000
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Thread-Topic: [RFC PATCH v2 1/3] OVN ACL: Replace the usage of ct_label with
ct_mark
Thread-Index: AQHU0wpJYs/mxXkkY0uzM9dXNVcQ7w==
Date: Tue, 5 Mar 2019 04:17:03 +0000
Message-ID: <1551759463-61412-2-git-send-email-ankur.sharma@nutanix.com>
References: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com>
In-Reply-To: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: BYAPR01CA0049.prod.exchangelabs.com (2603:10b6:a03:94::26)
To MW2PR02MB3899.namprd02.prod.outlook.com
(2603:10b6:907:4::28)
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 1.8.3.1
x-originating-ip: [192.146.154.1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 58b28b9a-11c5-4544-2189-08d6a1216c05
x-microsoft-antispam: BCL:0; PCL:0;
RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020);
SRVR:MW2PR02MB3737;
x-ms-traffictypediagnostic: MW2PR02MB3737:
x-proofpoint-crosstenant: true
x-microsoft-antispam-prvs:
x-forefront-prvs: 0967749BC1
x-forefront-antispam-report: SFV:NSPM;
SFS:(10019020)(39860400002)(346002)(376002)(396003)(136003)(366004)(199004)(189003)(305945005)(25786009)(30864003)(99286004)(105586002)(6116002)(71200400001)(26005)(5640700003)(53936002)(66066001)(53946003)(2351001)(6512007)(6436002)(106356001)(4720700003)(478600001)(76176011)(52116002)(14454004)(36756003)(6916009)(6486002)(71190400001)(186003)(2906002)(256004)(4326008)(107886003)(81166006)(316002)(86362001)(476003)(446003)(66574012)(11346002)(8936002)(3846002)(2616005)(6506007)(68736007)(50226002)(81156014)(97736004)(102836004)(2501003)(14444005)(44832011)(8676002)(7736002)(5660300002)(486006)(386003)(64030200001)(579004);
DIR:OUT; SFP:1102; SCL:1; SRVR:MW2PR02MB3737;
H:MW2PR02MB3899.namprd02.prod.outlook.com; FPR:; SPF:None;
LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nutanix.com does not designate
permitted sender hosts)
x-ms-exchange-senderadcheck: 1
MIME-Version: 1.0
X-OriginatorOrg: nutanix.com
X-MS-Exchange-CrossTenant-Network-Message-Id:
58b28b9a-11c5-4544-2189-08d6a1216c05
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2019 04:17:04.0293
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bb047546-786f-4de1-bd75-24e5b6f79043
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR02MB3737
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
definitions=2019-03-05_01:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, KHOP_DYNAMIC,
RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Subject: [ovs-dev] [RFC PATCH v2 1/3] OVN ACL: Replace the usage of ct_label
with ct_mark
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org
OVN ACL implementation used ct_label to indicate if a previously
allowed connection should not be allowed anymore and vice versa.
However, ct_label is a 128 bit value and we should rather leverage
ct_mark which is a 32 bit value.
Using ct_mark for this purpose allows us to use ct_label for storing
other values like the identifier for the corresponding OVN ACL/Security group etc.
Signed-off-by: Ankur Sharma
---
Documentation/tutorials/ovn-openstack.rst | 12 ++++----
ovn/lib/logical-fields.c | 3 ++
ovn/northd/ovn-northd.8.xml | 14 ++++-----
ovn/northd/ovn-northd.c | 48 +++++++++++++++----------------
tests/ovn.at | 11 +++----
5 files changed, 46 insertions(+), 42 deletions(-)
diff --git a/Documentation/tutorials/ovn-openstack.rst b/Documentation/tutorials/ovn-openstack.rst
index c6dff5e..dfd18da 100644
--- a/Documentation/tutorials/ovn-openstack.rst
+++ b/Documentation/tutorials/ovn-openstack.rst
@@ -1201,7 +1201,7 @@ as the output port::
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
- 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip4), priority 2002, uuid a12b39f0
+ 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip4), priority 2002, uuid a12b39f0
next;
13. ls_in_l2_lkup (ovn-northd.c:3529): eth.dst == fa:16:3e:f6:e2:8f, priority 50, uuid c43ead31
outport = "17d870";
@@ -1270,7 +1270,7 @@ Finally the logical switch for ``n2`` runs through the same logic as
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
- 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "cp" && ip4 && ip4.src == $as_ip4_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid a746fa0d
+ 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "cp" && ip4 && ip4.src == $as_ip4_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid a746fa0d
next;
7. ls_out_port_sec_ip (ovn-northd.c:2364): outport == "cp" && eth.dst == fa:16:3e:89:f2:36 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.1.2.7}, priority 90, uuid 4d9862b5
next;
@@ -1497,7 +1497,7 @@ firewall and is output to ``d``::
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
- 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "dp" && ip4 && ip4.src == 0.0.0.0/0 && icmp4), priority 2002, uuid b860fc9f
+ 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "dp" && ip4 && ip4.src == 0.0.0.0/0 && icmp4), priority 2002, uuid b860fc9f
next;
7. ls_out_port_sec_ip (ovn-northd.c:2364): outport == "dp" && eth.dst == fa:16:3e:c1:f5:a2 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.6}, priority 90, uuid 15655a98
next;
@@ -1609,7 +1609,7 @@ closely to those for IPv4 which we already discussed back under
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
- 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip6), priority 2002, uuid 7fdd607e
+ 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip6), priority 2002, uuid 7fdd607e
next;
13. ls_in_l2_lkup (ovn-northd.c:3529): eth.dst == fa:16:3e:ef:2f:8b, priority 50, uuid e1d87fc5
outport = "ad952e";
@@ -1667,7 +1667,7 @@ closely to those for IPv4 which we already discussed back under
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
- 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == "cp" && ip6 && ip6.src == $as_ip6_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid 12fc96f9
+ 4. ls_out_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (outport == "cp" && ip6 && ip6.src == $as_ip6_0fc1b6cf_f925_49e6_8f00_6dd13beca9dc), priority 2002, uuid 12fc96f9
next;
7. ls_out_port_sec_ip (ovn-northd.c:2390): outport == "cp" && eth.dst == fa:16:3e:89:f2:36 && ip6.dst == {fe80::f816:3eff:fe89:f236, ff00::/8, fc22::7}, priority 90, uuid c622596a
next;
@@ -1858,7 +1858,7 @@ action replaces a DHCPDISCOVER or DHCPREQUEST packet by a
reply. Table 12 flips the packet's source and destination and sends
it back the way it came in::
- 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == "ap" && ip4 && ip4.dst == {255.255.255.255, 10.1.1.0/24} && udp && udp.src == 68 && udp.dst == 67), priority 2002, uuid 9c90245d
+ 6. ls_in_acl (ovn-northd.c:2925): !ct.new && ct.est && !ct.rpl && ct.blocked == 0 && (inport == "ap" && ip4 && ip4.dst == {255.255.255.255, 10.1.1.0/24} && udp && udp.src == 68 && udp.dst == 67), priority 2002, uuid 9c90245d
next;
11. ls_in_dhcp_options (ovn-northd.c:3409): inport == "ap" && eth.src == fa:16:3e:a9:4c:c7 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67, priority 100, uuid 8d63f29c
reg0[3] = put_dhcp_opts(offerip = 10.1.1.5, lease_time = 43200, mtu = 1442, netmask = 255.255.255.0, router = 10.1.1.1, server_id = 10.1.1.1);
diff --git a/ovn/lib/logical-fields.c b/ovn/lib/logical-fields.c
index a8b5e3c..ad223b5 100644
--- a/ovn/lib/logical-fields.c
+++ b/ovn/lib/logical-fields.c
@@ -108,8 +108,11 @@ ovn_init_symtab(struct shash *symtab)
/* Connection tracking state. */
expr_symtab_add_field(symtab, "ct_mark", MFF_CT_MARK, NULL, false);
+ expr_symtab_add_subfield(symtab, "ct.blocked", NULL, "ct_mark[0]");
expr_symtab_add_field(symtab, "ct_label", MFF_CT_LABEL, NULL, false);
+
+ /* ct_label.blocked has been kept for backward compatibility. */
expr_symtab_add_subfield(symtab, "ct_label.blocked", NULL, "ct_label[0]");
expr_symtab_add_field(symtab, "ct_state", MFF_CT_STATE, NULL, false);
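Review bot: the "kept for backward compatibility" comment on the `ct_label.blocked` subfield should say what compatibility it actually provides, because after this patch none of the northd flows in this series write `ct_label[0]` any more (every `ct_commit(ct_label=...)` below becomes `ct_commit(ct_mark=...)`). An expression that still tests `ct_label.blocked == 1` will therefore parse but never match a connection that was blocked via `ct_mark[0]`, so the old symbol silently reports "not blocked". If the symbol is only kept so that existing expressions keep parsing during an upgrade with mixed ovn-northd/ovn-controller versions, state that in the comment, e.g. `/* Deprecated: kept only so existing expressions parse; the blocked state now lives in ct_mark[0]. */`, and consider a NEWS entry that tells operators the bit has moved.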
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index 392a5ef..6ea7af9 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -286,14 +286,14 @@
allow-related
ACLs translate into logical
- flows with the ct_commit(ct_label=0/1); next;
actions
+ flows with the ct_commit(ct_mark=0/1); next;
actions
for new connections and reg0[1] = 1; next;
for existing
connections.
Other ACLs translate to drop;
for new or untracked
- connections and ct_commit(ct_label=1/1);
for known
- connections. Setting ct_label
marks a connection
+ connections and ct_commit(ct_mark=1/1);
for known
+ connections. Setting ct_mark
marks a connection
as one that was previously allowed, but should no longer be
allowed due to a policy change.
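Review bot: "Setting ct_mark marks a connection as one that was previously allowed" is imprecise now that the field is a 32-bit mark that the cover letter intends to share with other uses; the action shown in the same paragraph is `ct_commit(ct_mark=1/1)`, i.e. only bit 0. Suggest "Setting bit 0 of ct_mark (ct.blocked) marks a connection ..." so the man page matches the `ct.blocked` symbol introduced in logical-fields.c and does not imply the whole field is consumed.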
@@ -319,12 +319,12 @@
A priority-65535 flow that allows any traffic in the reply
direction for a connection that has been committed to the
connection tracker (i.e., established flows), as long as
- the committed flow does not have ct_label.blocked
set.
+ the committed flow does not have ct.blocked
set.
We only handle traffic in the reply direction here because
we want all packets going in the request direction to still
go through the flows that implement the currently defined
policy based on ACLs. If a connection is no longer allowed by
- policy, ct_label.blocked
will get set and packets in the
+ policy, ct.blocked
will get set and packets in the
reply direction will no longer be allowed, either.
@@ -332,7 +332,7 @@
A priority-65535 flow that allows any traffic that is considered
related to a committed flow in the connection tracker (e.g., an
ICMP Port Unreachable from a non-listening UDP port), as long
- as the committed flow does not have ct_label.blocked
set.
+ as the committed flow does not have ct.blocked
set.
@@ -342,7 +342,7 @@
A priority-65535 flow that drops all trafic in the reply direction
- with ct_label.blocked
set meaning that the connection
+ with ct.blocked
set meaning that the connection
should no longer be allowed due to a policy change. Packets
in the request direction are skipped here to let a newly created
ACL re-allow this connection.
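Review bot: the context line "drops all trafic in the reply direction" carries a typo ("trafic" → "traffic"); since this paragraph is already being rewritten for `ct.blocked`, fix it in the same hunk rather than leaving it for a separate cleanup.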
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 3569ea2..d0e85ce 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -3546,13 +3546,13 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
* It's also possible that a known connection was marked for
* deletion after a policy was deleted, but the policy was
* re-added while that connection is still known. We catch
- * that case here and un-set ct_label.blocked (which will be done
+ * that case here and un-set ct.blocked (which will be done
* by ct_commit in the "stateful" stage) to indicate that the
* connection should be allowed to resume.
*/
ds_put_format(&match, "((ct.new && !ct.est)"
" || (!ct.new && ct.est && !ct.rpl "
- "&& ct_label.blocked == 1)) "
+ "&& ct.blocked == 1)) "
"&& (%s)", acl->match);
ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
build_acl_log(&actions, acl);
@@ -3573,7 +3573,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
ds_clear(&actions);
ds_put_format(&match,
"!ct.new && ct.est && !ct.rpl"
- " && ct_label.blocked == 0 && (%s)",
+ " && ct.blocked == 0 && (%s)",
acl->match);
build_acl_log(&actions, acl);
@@ -3599,7 +3599,7 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
/* If the packet is not part of an established connection, then
* we can simply reject/drop it. */
ds_put_cstr(&match,
- "(!ct.est || (ct.est && ct_label.blocked == 1))");
+ "(!ct.est || (ct.est && ct.blocked == 1))");
if (!strcmp(acl->action, "reject")) {
build_reject_acl_rules(od, lflows, stage, acl, &match,
&actions);
@@ -3611,11 +3611,11 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
acl->priority + OVN_ACL_PRI_OFFSET,
ds_cstr(&match), ds_cstr(&actions));
}
- /* For an existing connection without ct_label set, we've
+ /* For an existing connection without ct_mark set, we've
* encountered a policy change. ACLs previously allowed
* this connection and we committed the connection tracking
* entry. Current policy says that we should drop this
- * connection. First, we set bit 0 of ct_label to indicate
+ * connection. First, we set bit 0 of ct_mark to indicate
* that this connection is set for deletion. By not
* specifying "next;", we implicitly drop the packet after
* updating conntrack state. We would normally defer
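Review bot: the rewritten comment "For an existing connection without ct_mark set" should read "without ct.blocked set" (or "without bit 0 of ct_mark set"), consistent with the next sentence "we set bit 0 of ct_mark"; the match string two hunks down is `ct.est && ct.blocked == 0`, and with ct_mark now intended to carry other bits, "ct_mark set" no longer describes the condition being tested.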
@@ -3624,8 +3624,8 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
*/
ds_clear(&match);
ds_clear(&actions);
- ds_put_cstr(&match, "ct.est && ct_label.blocked == 0");
- ds_put_cstr(&actions, "ct_commit(ct_label=1/1); ");
+ ds_put_cstr(&match, "ct.est && ct.blocked == 0");
+ ds_put_cstr(&actions, "ct_commit(ct_mark=1/1); ");
if (!strcmp(acl->action, "reject")) {
build_reject_acl_rules(od, lflows, stage, acl, &match,
&actions);
@@ -3748,56 +3748,56 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
* subsequent packets will hit the flow at priority 0 that just
* uses "next;"
*
- * We also check for established connections that have ct_label.blocked
+ * We also check for established connections that have ct.blocked
* set on them. That's a connection that was disallowed, but is
* now allowed by policy again since it hit this default-allow flow.
- * We need to set ct_label.blocked=0 to let the connection continue,
+ * We need to set ct.blocked=0 to let the connection continue,
* which will be done by ct_commit() in the "stateful" stage.
* Subsequent packets will hit the flow at priority 0 that just
* uses "next;". */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 1,
- "ip && (!ct.est || (ct.est && ct_label.blocked == 1))",
+ "ip && (!ct.est || (ct.est && ct.blocked == 1))",
REGBIT_CONNTRACK_COMMIT" = 1; next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 1,
- "ip && (!ct.est || (ct.est && ct_label.blocked == 1))",
+ "ip && (!ct.est || (ct.est && ct.blocked == 1))",
REGBIT_CONNTRACK_COMMIT" = 1; next;");
/* Ingress and Egress ACL Table (Priority 65535).
*
* Always drop traffic that's in an invalid state. Also drop
* reply direction packets for connections that have been marked
- * for deletion (bit 0 of ct_label is set).
+ * for deletion (bit 0 of ct_mark is set).
*
* This is enforced at a higher priority than ACLs can be defined. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
- "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
+ "ct.inv || (ct.est && ct.rpl && ct.blocked == 1)",
"drop;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
- "ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)",
+ "ct.inv || (ct.est && ct.rpl && ct.blocked == 1)",
"drop;");
/* Ingress and Egress ACL Table (Priority 65535).
*
* Allow reply traffic that is part of an established
* conntrack entry that has not been marked for deletion
- * (bit 0 of ct_label). We only match traffic in the
+ * (bit 0 of ct_mark). We only match traffic in the
* reply direction because we want traffic in the request
* direction to hit the currently defined policy from ACLs.
*
* This is enforced at a higher priority than ACLs can be defined. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
"ct.est && !ct.rel && !ct.new && !ct.inv "
- "&& ct.rpl && ct_label.blocked == 0",
+ "&& ct.rpl && ct.blocked == 0",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
"ct.est && !ct.rel && !ct.new && !ct.inv "
- "&& ct.rpl && ct_label.blocked == 0",
+ "&& ct.rpl && ct.blocked == 0",
"next;");
/* Ingress and Egress ACL Table (Priority 65535).
*
* Allow traffic that is related to an existing conntrack entry that
- * has not been marked for deletion (bit 0 of ct_label).
+ * has not been marked for deletion (bit 0 of ct_mark).
*
* This is enforced at a higher priority than ACLs can be defined.
*
@@ -3807,11 +3807,11 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
* that's generated from a non-listening UDP port. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
"!ct.est && ct.rel && !ct.new && !ct.inv "
- "&& ct_label.blocked == 0",
+ "&& ct.blocked == 0",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
"!ct.est && ct.rel && !ct.new && !ct.inv "
- "&& ct_label.blocked == 0",
+ "&& ct.blocked == 0",
"next;");
/* Ingress and Egress ACL Table (Priority 65535).
@@ -3989,13 +3989,13 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows)
ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;");
/* If REGBIT_CONNTRACK_COMMIT is set as 1, then the packets should be
- * committed to conntrack. We always set ct_label.blocked to 0 here as
+ * committed to conntrack. We always set ct.blocked to 0 here as
* any packet that makes it this far is part of a connection we
* want to allow to continue. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 100,
- REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;");
+ REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_mark=0/1); next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 100,
- REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_label=0/1); next;");
+ REGBIT_CONNTRACK_COMMIT" == 1", "ct_commit(ct_mark=0/1); next;");
/* If REGBIT_CONNTRACK_NAT is set as 1, then packets should just be sent
* through nat (without committing).
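Review bot: the `0/1` mask in `ct_commit(ct_mark=0/1)` is what keeps this change compatible with the goal stated in the commit message (freeing the conntrack fields for other values): only bit 0 is cleared on commit and any other ct_mark bits already on the entry survive. That is worth a sentence in the comment above ("We only touch bit 0 so other ct_mark bits are preserved"), because a later edit that simplifies this to `ct_mark=0` would silently wipe whatever the follow-up patches store there.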
diff --git a/tests/ovn.at b/tests/ovn.at
index ec79651..0199cdc 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -160,7 +160,8 @@ AT_CLEANUP
dnl Check that the OVN conntrack field definitions are correct.
AT_SETUP([ovn -- conntrack fields])
AT_CHECK([ovstest test-ovn dump-symtab | grep ^ct | sort], [0],
-[[ct.dnat = ct_state[7]
+[[ct.blocked = ct_mark[0]
+ct.dnat = ct_state[7]
ct.est = ct_state[1]
ct.inv = ct_state[4]
ct.new = ct_state[0]
@@ -356,7 +357,7 @@ eth.src == {$set3, badmac, 00:00:00:00:00:01} => Syntax error at `badmac' expect
((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) => Parentheses nested too deeply.
-ct_label > $set4 => Only == and != operators may be used to compare a field against an empty value set.
+ct_mark > $set4 => Only == and != operators may be used to compare a field against an empty value set.
]])
sed 's/ =>.*//' test-cases.txt > input.txt
sed 's/.* => //' test-cases.txt > expout
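Review bot: changing `ct_label > $set4` to `ct_mark > $set4` in the expression-parser test drops the only ct_label case from the "compare a field against an empty value set" check without gaining coverage, and ct_label remains a valid field after this series (it is still registered in logical-fields.c). This line does not depend on the ct_mark switch, so keep the original `ct_label` case, or add the `ct_mark` variant alongside it rather than replacing it.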
@@ -703,10 +704,10 @@ ip,nw_src=10.0.0.2: conjunction(1, 1/2)
ip,nw_src=10.0.0.3: conjunction(1, 1/2)
])
-lflow="ip && (!ct.est || (ct.est && ct_label.blocked == 1))"
+lflow="ip && (!ct.est || (ct.est && ct.blocked == 1))"
AT_CHECK([expr_to_flow "$lflow"], [0], [dnl
-ct_state=+est+trk,ct_label=0x1/0x1,ip
-ct_state=+est+trk,ct_label=0x1/0x1,ipv6
+ct_state=+est+trk,ct_mark=0x1/0x1,ip
+ct_state=+est+trk,ct_mark=0x1/0x1,ipv6
ct_state=-est+trk,ip
ct_state=-est+trk,ipv6
])
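Review bot: the expected flows now lock in `ct_mark=0x1/0x1` for `ct.blocked == 1`, but nothing in the test changes exercises the `ct_label.blocked` symbol that logical-fields.c keeps for backward compatibility. Add a companion case, e.g. `lflow="ip && ct.est && ct_label.blocked == 1"` expecting `ct_state=+est+trk,ct_label=0x1/0x1,ip` (and the ipv6 line), so a later cleanup that removes or re-maps the compatibility subfield fails the test rather than passing silently.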
From patchwork Tue Mar 5 04:17:05 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Sharma
X-Patchwork-Id: 1051608
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
spf=pass (mailfrom) smtp.mailfrom=openvswitch.org
(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;
envelope-from=ovs-dev-bounces@openvswitch.org;
receiver=)
Authentication-Results: ozlabs.org;
dmarc=fail (p=none dis=none) header.from=nutanix.com
Authentication-Results: ozlabs.org;
dkim=fail reason="signature verification failed" (2048-bit key;
unprotected) header.d=nutanix.com header.i=@nutanix.com
header.b="YzfcDB+H"; dkim-atps=neutral
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
[140.211.169.12])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
bits)) (No client certificate requested)
by ozlabs.org (Postfix) with ESMTPS id 44D3tB45b8z9s4Y
for ;
Tue, 5 Mar 2019 15:33:22 +1100 (AEDT)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
by mail.linuxfoundation.org (Postfix) with ESMTP id 71870F111;
Tue, 5 Mar 2019 04:32:22 +0000 (UTC)
X-Original-To: ovs-dev@openvswitch.org
Delivered-To: ovs-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 252B4EA39
for ; Tue, 5 Mar 2019 04:17:10 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mx0b-002c1b01.pphosted.com (mx0b-002c1b01.pphosted.com
[148.163.155.12])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E8826180
for ; Tue, 5 Mar 2019 04:17:08 +0000 (UTC)
Received: from pps.filterd (m0127841.ppops.net [127.0.0.1])
by mx0b-002c1b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id
x254F0Oq024470
for ; Mon, 4 Mar 2019 20:17:08 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com;
h=from : to : cc :
subject : date : message-id : references : in-reply-to : content-type
:
content-transfer-encoding : mime-version; s=proofpoint20171006;
bh=QqWgjEqW3FKsprioGBnxTX99sb13ihxGZehgZEX3ZdI=;
b=YzfcDB+HTLiac7t2q40FPdOnFi4O7nGai4FTdZZZ9Y8p5jYd42p9n5B/nzYaEyo18n/Z
g+BqO1dzuoN2JZJit8P5zKcUWw4EVjPEMCeCFvhkkthzflQhD6q0yHK1773JuxJYSckB
1JLAA9snkiMDwG2PwMtwPy3H0NQDpJYRUdzaFNPa/GlWfENhsAEW5VhKqF39GV5ZTUTs
9NTyKzIDP/rXby7JcitsxMRxCfsL+L2PPYjt0MCCNKpngvzw51U67Gwty7x//JA02iXN
p+FeOVf/IO8D3OJyYluqmDJYGHWlkFeQJ+3AyyO3G0YoTmBfq9lSM7BT0jIRG0ac4fqw
7Q==
Received: from nam03-by2-obe.outbound.protection.outlook.com
(mail-by2nam03lp2054.outbound.protection.outlook.com [104.47.42.54])
by mx0b-002c1b01.pphosted.com with ESMTP id 2qyr8b4bvy-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT)
for ; Mon, 04 Mar 2019 20:17:08 -0800
Received: from MW2PR02MB3899.namprd02.prod.outlook.com (52.132.178.28) by
MW2PR02MB3737.namprd02.prod.outlook.com (52.132.177.138) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1665.19; Tue, 5 Mar 2019 04:17:06 +0000
Received: from MW2PR02MB3899.namprd02.prod.outlook.com
([fe80::4976:1b78:f55b:3cfd]) by
MW2PR02MB3899.namprd02.prod.outlook.com
([fe80::4976:1b78:f55b:3cfd%8]) with mapi id 15.20.1665.020;
Tue, 5 Mar 2019 04:17:06 +0000
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Thread-Topic: [RFC PATCH v2 2/3] OVN ACL: Allow ct_mark and ct_label values
to be set from register as well
Thread-Index: AQHU0wpKpaUTe6YjI0mHj5WhwLooqQ==
Date: Tue, 5 Mar 2019 04:17:05 +0000
Message-ID: <1551759463-61412-3-git-send-email-ankur.sharma@nutanix.com>
References: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com>
In-Reply-To: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: BYAPR01CA0049.prod.exchangelabs.com (2603:10b6:a03:94::26)
To MW2PR02MB3899.namprd02.prod.outlook.com
(2603:10b6:907:4::28)
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 1.8.3.1
x-originating-ip: [192.146.154.1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1f676465-6c81-4a97-0e0d-08d6a1216d2d
x-microsoft-antispam: BCL:0; PCL:0;
RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020);
SRVR:MW2PR02MB3737;
x-ms-traffictypediagnostic: MW2PR02MB3737:
x-proofpoint-crosstenant: true
x-microsoft-antispam-prvs:
x-forefront-prvs: 0967749BC1
x-forefront-antispam-report: SFV:NSPM;
SFS:(10019020)(39860400002)(346002)(376002)(396003)(136003)(366004)(199004)(189003)(305945005)(25786009)(99286004)(105586002)(6116002)(71200400001)(26005)(5640700003)(53936002)(66066001)(2351001)(6512007)(6436002)(106356001)(4720700003)(478600001)(76176011)(52116002)(14454004)(36756003)(6916009)(6486002)(71190400001)(186003)(2906002)(256004)(4326008)(107886003)(81166006)(316002)(86362001)(476003)(446003)(11346002)(8936002)(3846002)(2616005)(6506007)(68736007)(50226002)(81156014)(97736004)(102836004)(2501003)(44832011)(8676002)(7736002)(5660300002)(486006)(386003)(64030200001);
DIR:OUT; SFP:1102; SCL:1; SRVR:MW2PR02MB3737;
H:MW2PR02MB3899.namprd02.prod.outlook.com; FPR:; SPF:None;
LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: nutanix.com does not designate
permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info:
JIb2w7MLnYV1tqJtrNxlJXrJY4h0ygIGofHCop7WU51gbAdHzWsUi+nJtZSAJnlmx6F6NCr6jNrrWcNQ8WyZjCaKMQuejulH72BVWn8MMPcM37AujiVpyBB67RjQDFTHlqJxslln1lVxKUOwgtKxzOoOpnzf0Pad5DvJeF8rTz3LSxPYtCaoBM/oCjXOhzVH3VmMfdZ1yRhYiYFUWnQJwtfF7NK90+sBJhbCXgBsLZQr/J6q9p8Oe2NBveE5KUekgbMwX9CnN9QWLyZVWm2rxQmLZqTn3GLJjoJZePDnmujcAaQmCmeDmQlMboWwOCkWhXZYtomfXvon8JWOwwzIbPnrklYAooYE8gFR+MEylGq7Q6IB52aipMtsFCfYjccxo+biR2Grybv3CpD36nW8KXXXGskDxH6hGWxXwj6TmxI=
MIME-Version: 1.0
X-OriginatorOrg: nutanix.com
X-MS-Exchange-CrossTenant-Network-Message-Id:
1f676465-6c81-4a97-0e0d-08d6a1216d2d
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2019 04:17:06.0368
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bb047546-786f-4de1-bd75-24e5b6f79043
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR02MB3737
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, ,
definitions=2019-03-05_01:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, KHOP_DYNAMIC,
RCVD_IN_DNSWL_LOW autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Subject: [ovs-dev] [RFC PATCH v2 2/3] OVN ACL: Allow ct_mark and ct_label
values to be set from register as well
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org
OVN allows only an integer (or masked integer) to be assigned to
ct_mark and ct_label.
This patch enhances the parser code to allow ct_mark and ct_label
to be assigned from 32 bit registers (MFF_REG0 - MFF_REG15) and 128
bit registers (MFF_XXREG0 - MFF_XXREG3) respectively.
Signed-off-by: Ankur Sharma
---
include/ovn/actions.h | 3 ++
ovn/lib/actions.c | 77 +++++++++++++++++++++++++++++++++++++++++++++------
ovn/ovn-sb.xml | 20 +++++++------
tests/ovn.at | 16 +++++++++++
4 files changed, 99 insertions(+), 17 deletions(-)
diff --git a/include/ovn/actions.h b/include/ovn/actions.h
index 1c0c67c..58b96a1 100644
--- a/include/ovn/actions.h
+++ b/include/ovn/actions.h
@@ -24,6 +24,7 @@
#include "openvswitch/dynamic-string.h"
#include "openvswitch/hmap.h"
#include "openvswitch/uuid.h"
+#include "openvswitch/meta-flow.h"
#include "util.h"
struct expr;
@@ -196,8 +197,10 @@ struct ovnact_ct_next {
/* OVNACT_CT_COMMIT. */
struct ovnact_ct_commit {
struct ovnact ovnact;
+ bool is_ct_mark_reg, is_ct_label_reg; /* If the value is from a register */
uint32_t ct_mark, ct_mark_mask;
ovs_be128 ct_label, ct_label_mask;
+ enum mf_field_id ct_mark_reg, ct_label_reg;
};
/* OVNACT_CT_DNAT, OVNACT_CT_SNAT. */
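Review bot: the new is_ct_mark_reg/is_ct_label_reg flags leave ct_mark/ct_mark_mask and ct_label/ct_label_mask holding meaningless values whenever a register is used (the parser later forces the masks to all-ones only so that encode_CT_COMMIT's existing `if (cc->ct_mark_mask)` test still fires), so every reader of this struct now has to consult the flag before trusting the value fields. A small tagged representation per field (for example an enum with NONE, VALUE and REG cases) would make the invariant explicit; at minimum the comment "/* If the value is from a register */" should say which value field the register replaces and that the corresponding mask is then ignored.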
diff --git a/ovn/lib/actions.c b/ovn/lib/actions.c
index 7b7a894..957bbce 100644
--- a/ovn/lib/actions.c
+++ b/ovn/lib/actions.c
@@ -627,8 +627,28 @@ parse_ct_commit_arg(struct action_context *ctx,
} else if (ctx->lexer->token.type == LEX_T_MASKED_INTEGER) {
cc->ct_mark = ntohll(ctx->lexer->token.value.integer);
cc->ct_mark_mask = ntohll(ctx->lexer->token.mask.integer);
+ } else if (ctx->lexer->token.type == LEX_T_ID) {
+
+ cc->ct_mark_mask = UINT32_MAX;
+
+ const struct mf_field *mf = mf_from_name(ctx->lexer->token.s);
+ if (mf) {
+
+ if (mf->id >= MFF_REG0 && mf->id <= MFF_REG15) {
+ cc->is_ct_mark_reg = true;
+ cc->ct_mark_reg = mf->id;
+ } else {
+ lexer_syntax_error(ctx->lexer, "input: %s, not a 32 bit "
+ "register", mf->name);
+ return;
+ }
+ } else {
+ lexer_syntax_error(ctx->lexer, "invalid field name: %s",
+ ctx->lexer->token.s);
+ return;
+ }
} else {
- lexer_syntax_error(ctx->lexer, "expecting integer");
+ lexer_syntax_error(ctx->lexer, "invalid token type");
return;
}
lexer_get(ctx->lexer);
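Review bot: the LEX_T_ID branch accepts every register from MFF_REG0 through MFF_REG15, but the expected encodings in the tests show ovn-controller keeping conntrack zone state in reg13 (`zone=NXM_NX_REG13[0..15]`), and the ovn-sb.xml change in this same patch documents only reg0 - reg9 as available to logical flows, so the upper range should be rejected here (or the documentation changed to match the code). `cc->ct_mark_mask = UINT32_MAX;` is also assigned before the register is validated, leaving the struct half-populated on the two error paths; move it into the successful branch. Finally, changing "expecting integer" to "invalid token type" makes the message less useful; "expecting integer or 32-bit register" describes what is actually accepted.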
@@ -642,9 +662,28 @@ parse_ct_commit_arg(struct action_context *ctx,
} else if (ctx->lexer->token.type == LEX_T_MASKED_INTEGER) {
cc->ct_label = ctx->lexer->token.value.be128_int;
cc->ct_label_mask = ctx->lexer->token.mask.be128_int;
+ } else if (ctx->lexer->token.type == LEX_T_ID) {
+
+ cc->ct_label_mask = OVS_BE128_MAX;
+ const struct mf_field *mf = mf_from_name(ctx->lexer->token.s);
+ if (mf) {
+ if (mf->id >= MFF_XXREG0 && mf->id <= MFF_XXREG3) {
+ cc->is_ct_label_reg = true;
+ cc->ct_label_reg = mf->id;
+ } else {
+ lexer_syntax_error(ctx->lexer, "input: %s, not a 128 bit "
+ "register", mf->name);
+ return;
+ }
+ } else {
+ lexer_syntax_error(ctx->lexer, "invalid field name: %s",
+ ctx->lexer->token.s);
+ return;
+ }
+
} else {
- lexer_syntax_error(ctx->lexer, "expecting integer");
- return;
+ lexer_syntax_error(ctx->lexer, "invalid token type");
+ return;
}
lexer_get(ctx->lexer);
} else {
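Review bot: this branch is a near-verbatim copy of the ct_mark branch above with only the register range, mask and width string changed; factor both into one helper (for example `parse_ct_commit_reg(ctx, MFF_XXREG0, MFF_XXREG3, "128 bit")`) so the range checks and error messages cannot drift apart. As above, ovn-sb.xml in this patch documents xxreg0 - xxreg1 while the code accepts through MFF_XXREG3, and `cc->ct_label_mask = OVS_BE128_MAX;` is set before validation. Style nit: the stray blank line between the closing brace of the `if (mf)` block and the following `} else {` should go.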
@@ -713,14 +752,36 @@ encode_CT_COMMIT(const struct ovnact_ct_commit *cc,
ofpbuf_pull(ofpacts, set_field_offset);
if (cc->ct_mark_mask) {
- const ovs_be32 value = htonl(cc->ct_mark);
- const ovs_be32 mask = htonl(cc->ct_mark_mask);
- ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_MARK), &value, &mask);
+ if (cc->is_ct_mark_reg) {
+ struct ofpact_reg_move *move = ofpact_put_REG_MOVE(ofpacts);
+
+ move->src.field = mf_from_id(cc->ct_mark_reg);
+ move->src.ofs = 0;
+ move->src.n_bits = 32;
+ move->dst.field = mf_from_id(MFF_CT_MARK);
+ move->dst.ofs = 0;
+ move->dst.n_bits = 32;
+ } else {
+ const ovs_be32 value = htonl(cc->ct_mark);
+ const ovs_be32 mask = htonl(cc->ct_mark_mask);
+ ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_MARK), &value, &mask);
+ }
}
if (!ovs_be128_is_zero(cc->ct_label_mask)) {
- ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_LABEL), &cc->ct_label,
- &cc->ct_label_mask);
+ if (cc->is_ct_label_reg) {
+ struct ofpact_reg_move *move = ofpact_put_REG_MOVE(ofpacts);
+
+ move->src.field = mf_from_id(cc->ct_label_reg);
+ move->src.ofs = 0;
+ move->src.n_bits = 128;
+ move->dst.field = mf_from_id(MFF_CT_LABEL);
+ move->dst.ofs = 0;
+ move->dst.n_bits = 128;
+ } else {
+ ofpact_put_set_field(ofpacts, mf_from_id(MFF_CT_LABEL), &cc->ct_label,
+ &cc->ct_label_mask);
+ }
}
ofpacts->header = ofpbuf_push_uninit(ofpacts, set_field_offset);
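Review bot: the register path emits an unmasked move of all 32 (or 128) bits, so `ct_mark=reg1` overwrites bit 0 of ct_mark, which the northd flows in this series use as the blocked bit (`ct_commit(ct_mark=0/1, ...)`); the constant path can be narrowed with a mask but the register path cannot. Either document that register assignment always writes the whole field, or accept `regX[a..b]` subfields, which `struct mf_subfield` already models through `ofs` and `n_bits`. The two `ofpact_put_REG_MOVE` blocks differ only in source field and width; a static helper taking (src id, dst id, n_bits) would remove the duplication. The gating `if (cc->ct_mark_mask)` now relies on the parser having forced the mask to all-ones in the register case, and nothing in this function makes that coupling visible; a comment is needed at least.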
diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml
index 4e080ab..4b75ef8 100644
--- a/ovn/ovn-sb.xml
+++ b/ovn/ovn-sb.xml
@@ -1180,19 +1180,21 @@
ct_commit;
- ct_commit(ct_mark=value[/mask]);
- ct_commit(ct_label=value[/mask]);
- ct_commit(ct_mark=value[/mask], ct_label=value[/mask]);
+ ct_commit(ct_mark=(value[/mask] OR regX));
+ ct_commit(ct_label=(value[/mask] OR xxregX));
+ ct_commit(ct_mark=(value[/mask] OR regX), ct_label=(value[/mask] OR xxregX));
Commit the flow to the connection tracking entry associated with it
- by a previous call to ct_next
. When
- ct_mark=value[/mask]
and/or
- ct_label=value[/mask]
are supplied,
+ by a previous call to ct_next
. When
+ ct_mark=value[/mask] OR xxregX
and/or
+ ct_label=value[/mask] OR xxregX
are supplied,
ct_mark
and/or ct_label
will be set to the
- values indicated by value[/mask] on the connection
- tracking entry. ct_mark
is a 32-bit field.
- ct_label
is a 128-bit field. The value[/mask]
+ values indicated by value[/mask] or 32 bit/128 bit registers
+ on the connection tracking entry. ct_mark
is a 32-bit field
+ and hence will read value only from a 32 bit register (reg0 - reg9).
+ ct_label
is a 128-bit field and hence will read value only
+ from a 128 bit register (xxreg0 - xxreg1). The value[/mask]
should be specified in hex string if more than 64bits are to be used.
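Review bot: the ct_mark alternative in the prose (`ct_mark=value[/mask] OR xxregX`) should read `regX`; ct_mark takes only 32-bit registers, as the syntax summary three lines above gets right. The register ranges stated here (reg0 - reg9 and xxreg0 - xxreg1) also disagree with the parser, which accepts MFF_REG0 - MFF_REG15 and MFF_XXREG0 - MFF_XXREG3; pick one range and make code and documentation agree. The `(value[/mask] OR regX)` notation is awkward for a syntax summary; `ct_mark={value[/mask] | regX}` or a separate line per form would be clearer. The text should also state that a register source writes the whole field and cannot be combined with a mask.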
diff --git a/tests/ovn.at b/tests/ovn.at
index 0199cdc..d2c5187 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -1021,6 +1021,22 @@ ct_commit(ct_label=18446744073709551615);
ct_commit(ct_label=18446744073709551616);
Decimal constants must be less than 2**64.
+ct_commit(ct_label=xxreg1);
+ formats as ct_commit(ct_label=0);
+ encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(move:NXM_NX_XXREG1[]->NXM_NX_CT_LABEL[]))
+ has prereqs ip
+
+ct_commit(ct_mark=reg1);
+ formats as ct_commit(ct_mark=0);
+ encodes as ct(commit,zone=NXM_NX_REG13[0..15],exec(move:NXM_NX_REG1[]->NXM_NX_CT_MARK[]))
+ has prereqs ip
+
+ct_commit(ct_label=reg1);
+ Syntax error at `reg1' input: reg1, not a 128 bit register.
+
+ct_commit(ct_mark=xxreg1);
+ Syntax error at `xxreg1' input: xxreg1, not a 32 bit register.
+
# ct_dnat
ct_dnat;
encodes as ct(table=19,zone=NXM_NX_REG11[0..15],nat)
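Review bot: the expected lines `formats as ct_commit(ct_label=0);` and `formats as ct_commit(ct_mark=0);` show that format_CT_COMMIT was not updated: a register-sourced commit is printed back as a literal zero, so the formatted text does not round-trip to the same encoding and misleads anyone who prints parsed actions (ovn-trace, for instance). The formatter should emit `ct_commit(ct_label=xxreg1)` / `ct_commit(ct_mark=reg1)` and these tests should expect that. There is also no case at the boundary of the accepted register range (reg13, which the encode line shows carrying the conntrack zone, or reg15/xxreg3), which is where the code and the ovn-sb.xml text disagree.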
From patchwork Tue Mar 5 04:17:08 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Sharma
X-Patchwork-Id: 1051609
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Thread-Topic: [RFC PATCH v2 3/3] OVN ACL: Allow a user to input ct.label
value for an acl
Thread-Index: AQHU0wpMTznzYl/AekSHC8L4cjg0sw==
Date: Tue, 5 Mar 2019 04:17:08 +0000
Message-ID: <1551759463-61412-4-git-send-email-ankur.sharma@nutanix.com>
References: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com>
In-Reply-To: <1551759463-61412-1-git-send-email-ankur.sharma@nutanix.com>
Subject: [ovs-dev] [RFC PATCH v2 3/3] OVN ACL: Allow a user to input
ct.label value for an acl
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org
This patch allows a user to associate a value with an ACL,
which will be assigned to ct.label of the corresponding
connection tracking entry.
This value can be used to map a ct entry to the corresponding
OVN ACL or higher level constructs like security group.
Signed-off-by: Ankur Sharma
---
ovn/northd/ovn-northd.c | 37 ++++++++++++++++++++++++------
ovn/ovn-nb.ovsschema | 5 +++--
ovn/ovn-nb.xml | 12 ++++++++++
ovn/utilities/ovn-nbctl.c | 24 +++++++++++++++++++-
tests/ovn-nbctl.at | 12 ++++++++--
tests/ovn.at | 57 +++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 135 insertions(+), 12 deletions(-)
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index d0e85ce..d490a95 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -166,12 +166,13 @@ enum ovn_stage {
#define OVN_ACL_PRI_OFFSET 1000
/* Register definitions specific to switches. */
-#define REGBIT_CONNTRACK_DEFRAG "reg0[0]"
-#define REGBIT_CONNTRACK_COMMIT "reg0[1]"
-#define REGBIT_CONNTRACK_NAT "reg0[2]"
-#define REGBIT_DHCP_OPTS_RESULT "reg0[3]"
-#define REGBIT_DNS_LOOKUP_RESULT "reg0[4]"
-#define REGBIT_ND_RA_OPTS_RESULT "reg0[5]"
+#define REGBIT_CONNTRACK_DEFRAG "reg0[0]"
+#define REGBIT_CONNTRACK_COMMIT "reg0[1]"
+#define REGBIT_CONNTRACK_NAT "reg0[2]"
+#define REGBIT_CONNTRACK_SET_LABEL "reg0[3]"
+#define REGBIT_DHCP_OPTS_RESULT "reg0[4]"
+#define REGBIT_DNS_LOOKUP_RESULT "reg0[5]"
+#define REGBIT_ND_RA_OPTS_RESULT "reg0[6]"
/* Register definitions for switches and routers. */
#define REGBIT_NAT_REDIRECT "reg9[0]"
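Review bot: inserting REGBIT_CONNTRACK_SET_LABEL at reg0[3] renumbers REGBIT_DHCP_OPTS_RESULT, REGBIT_DNS_LOOKUP_RESULT and REGBIT_ND_RA_OPTS_RESULT to reg0[4..6]; anything that hard-codes those bit positions outside this file (pipeline descriptions in ovn-northd.8.xml if they name them, expected flows in the test suite) breaks silently. Appending the new bit at reg0[6] avoids the churn. The unchanged definitions are also re-emitted, presumably only to realign whitespace; drop that so the diff shows the one real change.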
@@ -3554,7 +3555,14 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
" || (!ct.new && ct.est && !ct.rpl "
"&& ct.blocked == 1)) "
"&& (%s)", acl->match);
- ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
+ if (acl->label) {
+ ds_put_format(&actions, REGBIT_CONNTRACK_COMMIT" = 1; "
+ ""REGBIT_CONNTRACK_SET_LABEL" = 1; "
+ "xxreg1 = %s; ", acl->label);
+ } else {
+ ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
+ }
+
build_acl_log(&actions, acl);
ds_put_cstr(&actions, "next;");
ovn_lflow_add_with_hint(lflows, od, stage,
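Review bot: `acl->label` is interpolated straight into the action string (`"xxreg1 = %s; "`), and the only validation is in ovn-nbctl. The Northbound column is a free-form string that any client can write (`ovn-nbctl set acl ... label=...`, ovsdb-client, the IDL bindings), so a value such as `abc` or `0x1; drop` becomes part of the action text and either fails to parse in ovn-controller, which then skips the whole logical flow, or injects additional actions. northd must check here that the label is a 0x-prefixed hex literal of at most 32 digits before using it, and log and ignore the label otherwise. Note also that this is the stateful branch (the match uses ct.*); on a datapath with no stateful ACL nothing is committed and the label is silently ignored, which the column documentation should say.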
@@ -3988,6 +3996,21 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows)
ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 0, "1", "next;");
+ /* If REGBIT_CONNTRACK_COMMIT is set as 1 and
+ * REGBIT_CONNTRACK_SET_LABEL is set to 1, then the packets should be
+ * committed to conntrack.
+ * We always set ct_mark.blocked to 0 here as
+ * any packet that makes it this far is part of a connection we
+ * want to allow to continue. */
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_STATEFUL, 150,
+ REGBIT_CONNTRACK_COMMIT" == 1 && "
+ ""REGBIT_CONNTRACK_SET_LABEL" == 1",
+ "ct_commit(ct_mark=0/1, ct_label=xxreg1); next;");
+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_STATEFUL, 150,
+ REGBIT_CONNTRACK_COMMIT" == 1 && "
+ ""REGBIT_CONNTRACK_SET_LABEL" == 1",
+ "ct_commit(ct_mark=0/1, ct_label=xxreg1); next;");
+
/* If REGBIT_CONNTRACK_COMMIT is set as 1, then the packets should be
* committed to conntrack. We always set ct.blocked to 0 here as
* any packet that makes it this far is part of a connection we
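Review bot: the new comment says `ct_mark.blocked` while the existing comment directly below says `ct.blocked`; use one name. More importantly, xxreg1 is written in the ACL stage and consumed here several stages later, and xxreg1 aliases reg4 through reg7, so any stage between ACL and STATEFUL that writes those registers, now or later, corrupts the label before it is committed. That reservation of xxreg1 for the ACL label should be recorded next to the REGBIT definitions and in the register documentation. The two priority-150 flows also duplicate the priority-100 commit flows except for `ct_label=xxreg1`; consider a single priority-150 flow per direction that is only added when any ACL on the datapath carries a label, or at least a comment explaining why both sets are needed.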
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index 10a5964..df7a8bc 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
{
"name": "OVN_Northbound",
- "version": "5.14.1",
- "cksum": "3758097843 20509",
+ "version": "5.15.0",
+ "cksum": "1465081421 20583",
"tables": {
"NB_Global": {
"columns": {
@@ -171,6 +171,7 @@
"debug"]]},
"min": 0, "max": 1}},
"meter": {"type": {"key": "string", "min": 0, "max": 1}},
+ "label": {"type": {"key": "string", "min": 0, "max": 1}},
"external_ids": {
"type": {"key": "string", "value": "string",
"min": 0, "max": "unlimited"}}},
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index 1839650..8ed639c 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -1219,6 +1219,18 @@
default, log messages are not rate-limited.
+
+
+
+ Associates an identifier with the ACL.
+ Same value will be written to corresponding connection
+ tracker entry. Value should be in hex, for example: 0x1234.
+ This value can help in debugging from connection tracker side,
+ for example, through this "label" we can backtrack to the ACL rule
+ which is causing a "leaked" connection.
+
+
+
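Review bot: the description says "Value should be in hex, for example: 0x1234" but not the width: the value is written into the 128-bit ct_label, so at most 32 hex digits are valid, and anything longer is rejected only downstream. It should also state that the label is committed only for stateful ACLs (the allow-related commit path), that an unset label leaves ct_label untouched, and what "leaked" connection means here (presumably a conntrack entry that outlives or does not correspond to any current ACL), since the phrase is the motivation for the whole column.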
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 8a72e95..aded264 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -2026,6 +2026,11 @@ nbctl_acl_list(struct ctl_context *ctx)
ds_chomp(&ctx->output, ',');
ds_put_cstr(&ctx->output, ")");
}
+
+ if (acl->label) {
+ ds_put_format(&ctx->output, " label=%s", acl->label);
+ }
+
ds_put_cstr(&ctx->output, "\n");
}
@@ -2147,6 +2152,23 @@ nbctl_acl_add(struct ctl_context *ctx)
nbrec_acl_set_meter(acl, meter);
}
+ /* Label */
+ const char *label = shash_find_data(&ctx->options, "--label");
+ if (label) {
+ // Validate that label is in the hex format (for eg: 0x1234)
+ if (strncmp(label, "0x", 2)) {
+ ctl_error(ctx, "Label: %s, should start with \"0x\"", label);
+ return;
+ }
+
+ if (label[strspn(label+2, "0123456789abcdefABCDEF") + 2]) {
+ ctl_error(ctx, "Label: %s, should be in hex format", label);
+ return;
+ }
+
+ nbrec_acl_set_label(acl, label);
+ }
+
/* Check if same acl already exists for the ls/portgroup */
size_t n_acls = pg ? pg->n_acls : ls->n_acls;
struct nbrec_acl **acls = pg ? pg->acls : ls->acls;
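Review bot: the hex check accepts `--label=0x` with no digits: for that input `strspn(label+2, ...)` is 0, so `label[2]` is the terminating NUL and the second test passes, and northd then emits `xxreg1 = 0x;`. There is also no length limit, so 33 or more hex digits pass here and are rejected only when the lexer parses the logical flow (ct_label is 128 bits). Suggest `size_t n = strspn(label + 2, "0123456789abcdefABCDEF");` followed by `if (n == 0 || n > 32 || label[n + 2])` with a distinct message for each case. Style: OVS code uses `/* */` comments, not `//`. This validation also covers only acl-add; `ovn-nbctl set acl ... label=...` and direct OVSDB writes bypass it, which is why northd needs its own check.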
@@ -5084,7 +5106,7 @@ static const struct ctl_command_syntax nbctl_commands[] = {
/* acl commands. */
{ "acl-add", 5, 6, "{SWITCH | PORTGROUP} DIRECTION PRIORITY MATCH ACTION",
NULL, nbctl_acl_add, NULL,
- "--log,--may-exist,--type=,--name=,--severity=,--meter=", RW },
+ "--log,--may-exist,--type=,--name=,--severity=,--meter=,--label=", RW },
{ "acl-del", 1, 4, "{SWITCH | PORTGROUP} [DIRECTION [PRIORITY MATCH]]",
NULL, nbctl_acl_del, NULL, "--type=", RW },
{ "acl-list", 1, 1, "{SWITCH | PORTGROUP}",
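Review bot: `--label=` is added to the acl-add option list, but the diffstat shows no change to the ovn-nbctl manpage (ovn-nbctl.8.xml), so the new option and its required `0x...` format are undocumented for users; add it beside `--meter=` there, including the 32-hex-digit limit.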
diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index f884fc7..5607d74 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -210,19 +210,27 @@ ovn_nbctl_test_acl() {
AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 400 tcp drop])
AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 300 tcp drop])
AT_CHECK([ovn-nbctl $2 acl-add $1 from-lport 200 ip drop])
- AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop])
+ AT_CHECK([ovn-nbctl $2 --label=0x1234 acl-add $1 to-lport 100 ip drop])
+
dnl Add duplicated ACL
AT_CHECK([ovn-nbctl $2 acl-add $1 to-lport 100 ip drop], [1], [], [stderr])
AT_CHECK([grep 'already existed' stderr], [0], [ignore])
AT_CHECK([ovn-nbctl $2 --may-exist acl-add $1 to-lport 100 ip drop])
+ dnl Add invalid ACL label
+ AT_CHECK([ovn-nbctl $2 --label=1234 acl-add $1 to-lport 50 ip drop], [1], [], [stderr])
+ AT_CHECK([grep 'should start with "0x"' stderr], [0], [ignore])
+
+ AT_CHECK([ovn-nbctl $2 --label=0xagh acl-add $1 to-lport 50 ip drop], [1], [], [stderr])
+ AT_CHECK([grep 'should be in hex format' stderr], [0], [ignore])
+
AT_CHECK([ovn-nbctl $2 acl-list $1], [0], [dnl
from-lport 600 (udp) drop log()
from-lport 400 (tcp) drop
from-lport 200 (ip) drop
to-lport 500 (udp) drop log(name=test,severity=info)
to-lport 300 (tcp) drop
- to-lport 100 (ip) drop
+ to-lport 100 (ip) drop label=0x1234
])
dnl Delete in one direction.
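Review bot: the two negative cases cover a missing `0x` prefix and non-hex characters but not the two inputs the validation in nbctl_acl_add currently gets wrong: `--label=0x` (no digits, accepted today) and a label longer than 32 hex digits; add both with their expected error messages once the check is tightened. A positive case with uppercase digits (`0xABCD`) would also pin down that the check is case-insensitive, as the character class implies.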
diff --git a/tests/ovn.at b/tests/ovn.at
index d2c5187..9a9d0f5 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -11511,6 +11511,63 @@ AT_CHECK([cat 2.packets], [0], [])
AT_CLEANUP
+AT_SETUP([ovn -- ACL label])
+AT_KEYWORDS([ovn])
+ovn_start
+
+net_add n1
+
+sim_add hv
+as hv
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.1
+for i in lp1 lp2; do
+ ovs-vsctl -- add-port br-int $i -- \
+ set interface $i external-ids:iface-id=$i \
+ options:tx_pcap=hv/$i-tx.pcap \
+ options:rxq_pcap=hv/$i-rx.pcap
+done
+
+lp1_mac="f0:00:00:00:00:01"
+lp1_ip="192.168.1.2"
+
+lp2_mac="f0:00:00:00:00:02"
+lp2_ip="192.168.1.3"
+
+ovn-nbctl ls-add lsw0
+ovn-nbctl --wait=sb lsp-add lsw0 lp1
+ovn-nbctl --wait=sb lsp-add lsw0 lp2
+ovn-nbctl lsp-set-addresses lp1 $lp1_mac
+ovn-nbctl lsp-set-addresses lp2 $lp2_mac
+ovn-nbctl --wait=sb sync
+
+ovn-nbctl --label=0x1234 acl-add lsw0 to-lport 1000 'tcp.dst==82' allow-related
+
+ovn-sbctl dump-flows
+
+# Check logical flow
+AT_CHECK([ovn-sbctl dump-flows | grep ls_out_acl | grep "xxreg1 = 0x1234;" | wc -l], [0], [dnl
+1
+])
+
+AT_CHECK([ovn-sbctl dump-flows | grep ls_out_stateful | grep "ct_label=xxreg1" | wc -l], [0], [dnl
+1
+])
+
+# Send packet.
+packet="inport==\"lp1\" && eth.src==$lp1_mac && eth.dst==$lp2_mac &&
+ ip4 && ip.ttl==64 && ip4.src==$lp1_ip && ip4.dst==$lp2_ip &&
+ tcp && tcp.flags==2 && tcp.src==4362 && tcp.dst==82"
+as hv ovs-appctl -t ovn-controller inject-pkt "$packet"
+
+# Check connection tracker state
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep labels=0x1234 | wc -l], [0], [dnl
+1
+])
+
+OVN_CLEANUP([hv])
+AT_CLEANUP
+
AT_SETUP([ovn -- TTL exceeded])
AT_KEYWORDS([ttl-exceeded])
AT_SKIP_IF([test $HAVE_PYTHON = no])
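Review bot: in the new "ovn -- ACL label" test, the bare `ovn-sbctl dump-flows` on its own line is leftover debugging output; drop it or fold it into the AT_CHECKs that follow. The conntrack assertion runs immediately after inject-pkt with no synchronisation, so it can race the controller on a loaded machine; use `OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep -q labels=0x1234])` as elsewhere in the suite. The test also checks only that the label appears; it does not check that bit 0 of ct_mark is cleared by the same `ct_commit(ct_mark=0/1, ...)`, nor that an ACL without `--label` still yields the plain priority-100 commit flow, both of which would catch a regression in build_stateful.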